Fri, 28 Jul 2006

AFS as a backup mechanism

Create a cell, say, Use a separate database to translate bizare volume names into a particular backup set (say, ab.d92fgaf9a8as0 to backup of on 23 July 2005 03:28 UTC). You can mount these volumes in a tree, say /afs/ or /afs/ Set acls to use list so that machine admins can see files (prolly have to use hashed list names as well --- what is limit on pts list name length?) Can even acl off so that various people can see certain bits from machines.

Use rsync as backup mech, can do incrementals. Merge incrementals to create fulls.

To backup afs, vos dump volumes, suck back into the backup cell.

Posted at: 09:13 | category: /computers/backups | Link

Fri, 21 Jul 2006

Netbooting Idea

One issue with netbooting computers is that the standard processes --- get a network address, get a bootloader somehow, load a kernel, pull down an image --- are all pretty unauthenticated. You are trusting that the thing answering your dhcp query or the thing supplying you with an image is the thing you want to be talking to. For client machines this is bad enough, but what if you are wanting to deploy simple services? You want some greater degree of assurance.

What if you had some local store into which you could put some sort of credentials, say, a pgp key, or a certificate? It could be simple --- a compact flash plugged into the ide chain, or a usb keydrive plugged into an internal usb port. It could either contain your bootloader, or your firmware bootloader could use that credential to authenticate and encrypt bits of data. So, do a dhcp request, get a network address. Ask for a kernel with an embedded disk image. Take a couple hashes of what you get handed, use the certificate to securely query a service to verify that the hashes match. Start loading stuff. After the kernel boots, it could use that certificate to get other sensative data: pull down kerberos keytabs, ssh keys, etc. etc, from which more conventional methods of getting sensative data can be grabbed.

This seems to solve a few problems with the conventional method of doing netbooting:

Ideas? Potential flaws?

Posted at: 01:14 | category: /computers/netboot | Link